Malware Analysis Report

2024-11-16 13:15

Sample ID 240625-bgl34avgqm
Target 1a7da332fd0d4298acbfb24fc901d97bd71b9c247d1554dff2a3020155a87032_NeikiAnalytics.exe
SHA256 1a7da332fd0d4298acbfb24fc901d97bd71b9c247d1554dff2a3020155a87032
Tags
sality backdoor evasion trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1a7da332fd0d4298acbfb24fc901d97bd71b9c247d1554dff2a3020155a87032

Threat Level: Known bad

The file 1a7da332fd0d4298acbfb24fc901d97bd71b9c247d1554dff2a3020155a87032_NeikiAnalytics.exe was found to be: Known bad.

Malicious Activity Summary

sality backdoor evasion trojan upx

Windows security bypass

Modifies firewall policy service

Sality

UAC bypass

Executes dropped EXE

UPX packed file

Windows security modification

Loads dropped DLL

Checks whether UAC is enabled

Enumerates connected drives

Drops file in Program Files directory

Drops file in Windows directory

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

System policy modification

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-25 01:07

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-25 01:07

Reported

2024-06-25 01:09

Platform

win7-20240419-en

Max time kernel

122s

Max time network

123s

Command Line

"taskhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (25 identical rows: the signature matched but the sandbox recorded no per-match detail)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\f761bda C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
File created C:\Windows\f766bed C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A (21 identical rows)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1760 wrote to memory of 2024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe (7 identical rows)
PID 2024 wrote to memory of 2988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761b6d.exe (4 identical rows)
PID 2988 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\taskhost.exe
PID 2988 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\Dwm.exe
PID 2988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\Explorer.EXE
PID 2988 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\DllHost.exe
PID 2988 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\rundll32.exe
PID 2988 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\SysWOW64\rundll32.exe (2 identical rows)
PID 2024 wrote to memory of 2484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761ce3.exe (4 identical rows)
PID 2024 wrote to memory of 1528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763717.exe (4 identical rows)
PID 2988 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\taskhost.exe
PID 2988 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\Dwm.exe
PID 2988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\Explorer.EXE
PID 2988 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Users\Admin\AppData\Local\Temp\f761ce3.exe (2 identical rows)
PID 2988 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Users\Admin\AppData\Local\Temp\f763717.exe (2 identical rows)

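The WriteProcessMemory rows above are the injection chain of this detonation: the sandbox's rundll32.exe host (PIDs 1760 and 2024) starts f761b6d.exe (PID 2988), and f761b6d.exe then writes into taskhost.exe, Dwm.exe, Explorer.EXE, DllHost.exe and both rundll32.exe instances before the second and third Temp binaries appear. The Python below is an added example, not sandbox output, that rebuilds that graph from rows in the sandbox's one-event-per-row format, drops the repeated rows, and separates the two kinds of write with a heuristic that is this example's own assumption: a write from a binary in a user-writable directory (AppData, Temp, Users\Public) into a process whose image lives under C:\Windows is treated as injection, while a rundll32.exe writing into a child it just launched is treated as ordinary process start-up. It also computes every PID reachable from the dropper, which is the set of processes to pull memory from on a live host. The sample rows are a constructed subset of the table above, with duplicates kept on purpose.

```python
import re
from collections import defaultdict

# Row format of the WriteProcessMemory table in this report:
#   PID <src> wrote to memory of <dst> <indicator> <src image> <dst image>
# Assumes image paths contain no spaces (true for every row in this report).
WPM_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \S+ (?P<src_img>\S+) (?P<dst_img>\S+)$"
)

# Heuristic (an assumption of this example, not a sandbox rule): a writer that
# lives in a user-writable location and touches a process whose image is under
# the Windows directory is counted as injection rather than parent/child setup.
USER_WRITABLE_MARKERS = ("\\appdata\\local\\temp\\", "\\appdata\\", "\\users\\public\\")
SYSTEM_PREFIX = "c:\\windows\\"


def parse_writes(lines):
    """Return (src_pid, dst_pid, src_img, dst_img) tuples, de-duplicated, in first-seen order."""
    seen, edges = set(), []
    for line in lines:
        m = WPM_RE.match(line.strip())
        if not m:
            continue
        edge = (int(m["src"]), int(m["dst"]), m["src_img"], m["dst_img"])
        if edge not in seen:
            seen.add(edge)
            edges.append(edge)
    return edges


def is_user_writable(image):
    return any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)


def is_system_image(image):
    return image.lower().startswith(SYSTEM_PREFIX)


def injection_edges(edges):
    """Writes from a user-writable binary into a Windows-directory process, ordered by target PID."""
    return sorted(
        (e for e in edges if is_user_writable(e[2]) and is_system_image(e[3])),
        key=lambda e: e[1],
    )


def blast_radius(edges, root_pid):
    """Every PID reachable from root_pid by following memory writes (root itself excluded)."""
    graph = defaultdict(set)
    for src, dst, *_ in edges:
        graph[src].add(dst)
    reached, stack = set(), [root_pid]
    while stack:
        pid = stack.pop()
        for nxt in graph[pid]:
            if nxt not in reached:
                reached.add(nxt)
                stack.append(nxt)
    reached.discard(root_pid)
    return reached


# Constructed subset of the table above; the repeated rows are deliberate.
SAMPLE_ROWS = [
    r"PID 1760 wrote to memory of 2024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 1760 wrote to memory of 2024 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2024 wrote to memory of 2988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761b6d.exe",
    r"PID 2024 wrote to memory of 2988 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761b6d.exe",
    r"PID 2988 wrote to memory of 1068 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\taskhost.exe",
    r"PID 2988 wrote to memory of 1124 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\Dwm.exe",
    r"PID 2988 wrote to memory of 1196 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\Explorer.EXE",
    r"PID 2988 wrote to memory of 1580 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\DllHost.exe",
    r"PID 2988 wrote to memory of 1760 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\system32\rundll32.exe",
    r"PID 2988 wrote to memory of 2024 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Windows\SysWOW64\rundll32.exe",
    r"PID 2024 wrote to memory of 2484 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f761ce3.exe",
    r"PID 2024 wrote to memory of 1528 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\f763717.exe",
    r"PID 2988 wrote to memory of 2484 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Users\Admin\AppData\Local\Temp\f761ce3.exe",
    r"PID 2988 wrote to memory of 1528 N/A C:\Users\Admin\AppData\Local\Temp\f761b6d.exe C:\Users\Admin\AppData\Local\Temp\f763717.exe",
]

if __name__ == "__main__":
    edges = parse_writes(SAMPLE_ROWS)
    print(f"{len(SAMPLE_ROWS)} rows, {len(edges)} distinct writes")
    for src, dst, src_img, dst_img in injection_edges(edges):
        print(f"injection: {src} ({src_img}) -> {dst} ({dst_img})")
    print("reachable from 2988:", sorted(blast_radius(edges, 2988)))
```

The reachable set includes 2024 and 1760, the two rundll32.exe instances that originally launched the dropper: f761b6d.exe writes back into its own parent, so killing only the child processes of the dropper misses the hosts it has already patched.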
System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A
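
The registry writes in the behavioral1 tables above (EnableLUA set to 0, FirewallPolicy\StandardProfile\EnableFirewall set to 0, and the Security Center *Override and *DisableNotify values set to 1) are the actionable indicators in this report: both dropped binaries switch off UAC, the Windows Firewall and Security Center alerting before anything else. The Python below is an added example, not output of the sandbox, that parses rows in this report's format and flags only the defence-disabling combinations of value name and data, so that a value being restored does not fire. The sample rows are four copied from the tables above plus one constructed benign write (a hypothetical svchost.exe setting EnableLUA back to 1); the grouping per writing process is this example's own choice.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Value-name suffixes (lower-cased) and the data that disables the control.
# Paths are compared case-insensitively with the Wow6432Node redirection
# prefix removed, so the 32-bit and 64-bit registry views hit the same rule.
POLICY_VALUES = {
    "\\policies\\system\\enablelua": ("0", "UAC disabled (EnableLUA=0)"),
    "\\firewallpolicy\\standardprofile\\enablefirewall": ("0", "Windows Firewall disabled"),
    "\\firewallpolicy\\standardprofile\\donotallowexceptions": ("0", "firewall exceptions allowed"),
    "\\firewallpolicy\\standardprofile\\disablenotifications": ("1", "firewall notifications suppressed"),
}
# Security Center values that, at 1, stop Windows from warning that AV,
# firewall, UAC or updates are off.
SECURITY_CENTER_VALUES = {
    "antivirusoverride", "antivirusdisablenotify", "firewalloverride",
    "firewalldisablenotify", "uacdisablenotify", "updatesdisablenotify",
}

# Row format used by the signature tables in this report:
#   Set value (<type>) <registry path> = "<data>" <process image> <target>
# Assumes the process image path contains no spaces (true for every row here).
SET_RE = re.compile(
    r'^Set value \((?P<kind>\w+)\) (?P<path>.+?) = "(?P<data>[^"]*)" (?P<proc>\S+) (?P<target>\S+)$'
)


@dataclass(frozen=True)
class Finding:
    process: str
    path: str
    data: str
    reason: str


def classify(path: str, data: str):
    """Return why this write disables a defence, or None if it does not."""
    p = path.lower().replace("\\wow6432node", "")
    for suffix, (bad_data, reason) in POLICY_VALUES.items():
        if p.endswith(suffix):
            return reason if data == bad_data else None
    key, _, name = p.rpartition("\\")
    if key.endswith("\\microsoft\\security center") and name in SECURITY_CENTER_VALUES:
        return f"Security Center {name}=1 (alerting suppressed)" if data == "1" else None
    return None


def parse_findings(lines):
    """Parse 'Set value' rows and keep only the defence-disabling ones."""
    findings = []
    for line in lines:
        m = SET_RE.match(line.strip())
        if not m:
            continue
        reason = classify(m["path"], m["data"])
        if reason is not None:
            findings.append(Finding(m["proc"], m["path"], m["data"], reason))
    return findings


def reasons_by_process(findings):
    """Distinct reasons per writing process: one verdict per binary."""
    grouped = defaultdict(set)
    for f in findings:
        grouped[f.process].add(f.reason)
    return dict(grouped)


# Four rows copied from the tables above plus one constructed benign write
# (a hypothetical svchost.exe restoring EnableLUA to 1).
SAMPLE_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\f761ce3.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\f761b6d.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "1" C:\Windows\system32\svchost.exe N/A',
]

if __name__ == "__main__":
    for proc, reasons in reasons_by_process(parse_findings(SAMPLE_ROWS)).items():
        print(proc)
        for reason in sorted(reasons):
            print("   ", reason)
```

The same value-and-data pairs can be applied to Sysmon Event ID 13 (RegistryEvent value set) records, where TargetObject and Details carry the path and data; the check on data is what keeps a legitimate re-enable of UAC or the firewall from being reported as an attack.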

Processes

C:\Windows\system32\taskhost.exe

"taskhost.exe"

C:\Windows\system32\Dwm.exe

"C:\Windows\system32\Dwm.exe"

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a7da332fd0d4298acbfb24fc901d97bd71b9c247d1554dff2a3020155a87032_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a7da332fd0d4298acbfb24fc901d97bd71b9c247d1554dff2a3020155a87032_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\f761b6d.exe

C:\Users\Admin\AppData\Local\Temp\f761b6d.exe

C:\Users\Admin\AppData\Local\Temp\f761ce3.exe

C:\Users\Admin\AppData\Local\Temp\f761ce3.exe

C:\Users\Admin\AppData\Local\Temp\f763717.exe

C:\Users\Admin\AppData\Local\Temp\f763717.exe

Network

N/A

Files

memory/2024-1-0x0000000010000000-0x0000000010020000-memory.dmp

\Users\Admin\AppData\Local\Temp\f761b6d.exe

MD5 4dc3a32bfba280a103a79e97c4b30d22
SHA1 f965ac74953c198b0d0ea2b934a262e7e24a4555
SHA256 d42dd95d650381d9c4ea04a6cad5e5dd93b727986106b4c19d729fc400dad0e4
SHA512 a7190c72822552ce5bb7b069aef406d1649bd690ac30dad367086e5261021bcc30d86f44316668cbee03eaf68adb507c4c63f7d8f7b97b57fbdf58a507104541

memory/2988-11-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2024-9-0x0000000000140000-0x0000000000152000-memory.dmp

memory/2024-8-0x0000000000140000-0x0000000000152000-memory.dmp

memory/2988-16-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-18-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-15-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-21-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-23-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-19-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-17-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-14-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2024-37-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2988-48-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2988-46-0x00000000018B0000-0x00000000018B1000-memory.dmp

memory/2988-49-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2024-45-0x0000000000180000-0x0000000000181000-memory.dmp

memory/2988-22-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2024-36-0x0000000000170000-0x0000000000172000-memory.dmp

memory/1068-29-0x0000000000450000-0x0000000000452000-memory.dmp

memory/2988-20-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2484-60-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2024-58-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2024-56-0x0000000000170000-0x0000000000172000-memory.dmp

memory/2024-57-0x0000000000190000-0x00000000001A2000-memory.dmp

memory/2988-61-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-62-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-63-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-64-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-65-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-67-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-68-0x0000000000660000-0x000000000171A000-memory.dmp

memory/1528-81-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2024-80-0x0000000000140000-0x0000000000142000-memory.dmp

memory/2988-83-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-85-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-87-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2484-96-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1528-105-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2484-104-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2988-88-0x0000000000660000-0x000000000171A000-memory.dmp

memory/1528-101-0x00000000003F0000-0x00000000003F1000-memory.dmp

memory/1528-103-0x00000000003E0000-0x00000000003E2000-memory.dmp

memory/2484-102-0x0000000000220000-0x0000000000222000-memory.dmp

memory/2988-106-0x0000000000660000-0x000000000171A000-memory.dmp

memory/2988-119-0x00000000003F0000-0x00000000003F2000-memory.dmp

memory/2988-148-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2988-149-0x0000000000660000-0x000000000171A000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 150df8c489d434a0c64bab1f503ea04f
SHA1 ca8a88e0a51ac05ddd80626dff795195d2cb54f2
SHA256 e9bb86c88a4e6e80af84d384516a8a861f1b9b9b322a7d89da2495f604a85261
SHA512 0086aea5fb46c1218c91a2a154c561c2bc6542c2542c578316b0396050c8b3a8c6bdc22fdcb54f3d78e09185dd327c05ba1ccdcba80350098a46ba00b83fb501

memory/2484-161-0x0000000000900000-0x00000000019BA000-memory.dmp

memory/2484-174-0x0000000000400000-0x0000000000412000-memory.dmp

memory/2484-175-0x0000000000900000-0x00000000019BA000-memory.dmp

memory/1528-179-0x0000000000400000-0x0000000000412000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-25 01:07

Reported

2024-06-25 01:09

Platform

win10v2004-20240226-en

Max time kernel

143s

Max time network

150s

Command Line

"fontdrvhost.exe"

Signatures

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A

Sality

backdoor sality

UAC bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (32 identical rows: the signature matched but the sandbox recorded no per-match detail)

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\7-Zip\7z.exe C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened for modification C:\Program Files\7-Zip\7zFM.exe C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened for modification C:\Program Files\7-Zip\7zG.exe C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A

Note: despite the signature name, nothing is dropped here. The three 7-Zip binaries already existed on the Windows 10 image and are opened for modification by the dropped e57f6b4.exe. Read together with the drive enumeration above, this is Sality's file-infector behaviour (it appends itself to existing executables on local and removable drives), so remediation of a host showing this indicator has to include scanning and replacing infected executables, not only deleting the Temp binaries listed in this report.

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\e57f9a2 C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File opened for modification C:\Windows\SYSTEM.INI C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
File created C:\Windows\e584c08 C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A (49 identical rows)
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2432 wrote to memory of 4856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2432 wrote to memory of 4856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 2432 wrote to memory of 4856 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4856 wrote to memory of 1360 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe
PID 4856 wrote to memory of 1360 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe
PID 4856 wrote to memory of 1360 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe
PID 1360 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\fontdrvhost.exe
PID 1360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\fontdrvhost.exe
PID 1360 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\dwm.exe
PID 1360 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\sihost.exe
PID 1360 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\svchost.exe
PID 1360 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\taskhostw.exe
PID 1360 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\Explorer.EXE
PID 1360 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\svchost.exe
PID 1360 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\DllHost.exe
PID 1360 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1360 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\System32\RuntimeBroker.exe
PID 1360 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1360 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\System32\RuntimeBroker.exe
PID 1360 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\System32\RuntimeBroker.exe
PID 1360 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1360 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 2432 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\rundll32.exe
PID 1360 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\SysWOW64\rundll32.exe
PID 1360 wrote to memory of 4856 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\SysWOW64\rundll32.exe
PID 4856 wrote to memory of 4720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fc71.exe
PID 4856 wrote to memory of 4720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fc71.exe
PID 4856 wrote to memory of 4720 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e57fc71.exe
PID 4856 wrote to memory of 4632 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5802ab.exe
PID 4856 wrote to memory of 4632 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5802ab.exe
PID 4856 wrote to memory of 4632 N/A C:\Windows\SysWOW64\rundll32.exe C:\Users\Admin\AppData\Local\Temp\e5802ab.exe
PID 1360 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\fontdrvhost.exe
PID 1360 wrote to memory of 792 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\fontdrvhost.exe
PID 1360 wrote to memory of 388 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\dwm.exe
PID 1360 wrote to memory of 2808 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\sihost.exe
PID 1360 wrote to memory of 2848 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\svchost.exe
PID 1360 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\taskhostw.exe
PID 1360 wrote to memory of 3372 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\Explorer.EXE
PID 1360 wrote to memory of 3564 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\svchost.exe
PID 1360 wrote to memory of 3756 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\system32\DllHost.exe
PID 1360 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
PID 1360 wrote to memory of 3972 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\System32\RuntimeBroker.exe
PID 1360 wrote to memory of 4056 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
PID 1360 wrote to memory of 4108 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\System32\RuntimeBroker.exe
PID 1360 wrote to memory of 4800 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\System32\RuntimeBroker.exe
PID 1360 wrote to memory of 2272 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
PID 1360 wrote to memory of 3848 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 1292 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3312 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3112 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4128 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 3892 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1360 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Users\Admin\AppData\Local\Temp\e57fc71.exe
PID 1360 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Users\Admin\AppData\Local\Temp\e57fc71.exe
PID 1360 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Users\Admin\AppData\Local\Temp\e5802ab.exe
PID 1360 wrote to memory of 4632 N/A C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe C:\Users\Admin\AppData\Local\Temp\e5802ab.exe
PID 4632 wrote to memory of 784 N/A C:\Users\Admin\AppData\Local\Temp\e5802ab.exe C:\Windows\system32\fontdrvhost.exe

System policy modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" C:\Users\Admin\AppData\Local\Temp\e5802ab.exe N/A

Processes

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\fontdrvhost.exe

"fontdrvhost.exe"

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\sihost.exe

sihost.exe

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\System32\RuntimeBroker.exe

C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe

"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --no-startup-window

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=122.0.6261.70 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=122.0.2365.52 --initial-client-data=0x23c,0x240,0x244,0x238,0x214,0x7ff825262e98,0x7ff825262ea4,0x7ff825262eb0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2740 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=2800 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=3096 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --mojo-platform-channel-handle=5408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --mojo-platform-channel-handle=5544 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:1

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a7da332fd0d4298acbfb24fc901d97bd71b9c247d1554dff2a3020155a87032_NeikiAnalytics.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\1a7da332fd0d4298acbfb24fc901d97bd71b9c247d1554dff2a3020155a87032_NeikiAnalytics.dll,#1

C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe

C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe

C:\Users\Admin\AppData\Local\Temp\e57fc71.exe

C:\Users\Admin\AppData\Local\Temp\e57fc71.exe

C:\Users\Admin\AppData\Local\Temp\e5802ab.exe

C:\Users\Admin\AppData\Local\Temp\e5802ab.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2316 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
GB 172.217.169.74:443 tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 13.107.253.64:443 tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 3.17.178.52.in-addr.arpa udp

Files

memory/4856-0-0x0000000010000000-0x0000000010020000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\e57f6b4.exe

MD5 4dc3a32bfba280a103a79e97c4b30d22
SHA1 f965ac74953c198b0d0ea2b934a262e7e24a4555
SHA256 d42dd95d650381d9c4ea04a6cad5e5dd93b727986106b4c19d729fc400dad0e4
SHA512 a7190c72822552ce5bb7b069aef406d1649bd690ac30dad367086e5261021bcc30d86f44316668cbee03eaf68adb507c4c63f7d8f7b97b57fbdf58a507104541

memory/1360-4-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1360-6-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-10-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-12-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-16-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4856-23-0x0000000000E60000-0x0000000000E62000-memory.dmp

memory/1360-29-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/4720-34-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1360-31-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/4856-30-0x0000000000E60000-0x0000000000E62000-memory.dmp

memory/1360-27-0x0000000001BC0000-0x0000000001BC1000-memory.dmp

memory/4856-25-0x0000000000E80000-0x0000000000E81000-memory.dmp

memory/4856-22-0x0000000000E60000-0x0000000000E62000-memory.dmp

memory/1360-15-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-17-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-13-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-11-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-9-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-8-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-36-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-35-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4632-41-0x0000000000400000-0x0000000000412000-memory.dmp

memory/1360-45-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-47-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-46-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-49-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-50-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-51-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-53-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-57-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-54-0x0000000000760000-0x000000000181A000-memory.dmp

memory/4720-59-0x00000000001F0000-0x00000000001F1000-memory.dmp

memory/4632-63-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4720-64-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/4632-65-0x00000000001F0000-0x00000000001F2000-memory.dmp

memory/4632-62-0x0000000000570000-0x0000000000571000-memory.dmp

memory/4720-60-0x00000000001E0000-0x00000000001E2000-memory.dmp

memory/1360-66-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-67-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-71-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-73-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-75-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-76-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-80-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-81-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-87-0x0000000001BB0000-0x0000000001BB2000-memory.dmp

memory/1360-91-0x0000000000760000-0x000000000181A000-memory.dmp

memory/1360-101-0x0000000000400000-0x0000000000412000-memory.dmp

C:\Windows\SYSTEM.INI

MD5 30c82a77e1e452074b3b9b4578bc14f6
SHA1 7ce5ccba8ae6132583e965fb70fa43ca3d2e190c
SHA256 54a104616a08986c02166fa938349a0b107387beb835038adb5edd5078cbed90
SHA512 4171eff8009252625ff4c2933914f33921599abae976971f2c73d0ed547256841069b0d24e4f02eaea85846b5d1f277964e7fb129b9826e7acd0b8a84df98180

memory/4632-118-0x0000000000B20000-0x0000000001BDA000-memory.dmp

memory/4720-122-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4632-140-0x0000000000400000-0x0000000000412000-memory.dmp

memory/4632-139-0x0000000000B20000-0x0000000001BDA000-memory.dmp